HOME OFFICE 


Data Protection 


The Government's Proposals 


CM 3725 




DATA PROTECTION 


THE GOVERNMENT’S 


PROPOSALS 


PRESENTED TO PARLIAMENT BY THE SECRETARY OF STATE FOR THE HOME DEPARTMENT 


JULY 1997 


£5.80 


Cm 3725 




This paper describes the Government’s proposals for implementing the EC Data 
Protection Directive (95/46/EC). It is intended primarily for information. 
However, to the extent that the very tight timetable for preparing the necessary 
legislation permits, the Government will have regard to any comments it 
receives. It is unlikely to be able to do so for any received after 31 August. Any 
comments should be sent to: 


Graham Sutton 

Home Office 

LGDP Unit, Room 1181 
50 Queen Anne’s Gate 
LONDON SW1H 9AT 
Fax: 0171-273 3205 


Any questions about the paper should be addressed to Trudy Payne on 0171-273 
3755 or Anita Hunt on 0171-273 3723. 


The paper is available on the Internet at 
http://www.homeoffice.gov.uk/datap1.htm. 


The Government may make any comments it receives publicly available, unless 
respondents expressly request confidentiality. 


CONTENTS 

Foreword 
Chapter 1: Introduction 
Chapter 2: Definitions, scope and extent (Articles 2-4) 
Chapter 3: The main rules governing processing (Articles 6, 7, 10-13, 16 and 17) 
Chapter 4: Special cases (Articles 8, 9, 14 and 15) 
Chapter 5: Notification/Registration (Articles 18-21) 
Chapter 6: Enforcement (Articles 22-24, 27 and 28) 
Chapter 7: Transfers of personal data to third countries (Articles 25 and 26) 
Chapter 8: Transitional arrangements (Article 32) 
Annex: Summary of responses to 1996 Consultation Paper 


FOREWORD 


We all want access to the benefits which the information society can offer us. 
But we are also entitled to expect those handling information about us to do so 
properly and responsibly. Data protection is about ensuring that they do. 


Within the single market of the European Union, it is important that there should 
be common standards of data protection. This is to enable business and other 
transactions to continue unimpeded while ensuring that information about 
individuals is properly protected. That is the purpose of the EC Data Protection 
Directive. 


This paper sets out the Government’s proposals for new data protection 
legislation to give legal effect to the Directive. The proposals build on our 
existing data protection law - the Data Protection Act 1984. They attempt to 
achieve the right balance between individuals’ entitlement to privacy in the 
handling of information about them, and information users’ needs in processing 
information to provide the services which individuals require. 


The Government will be introducing the Data Protection Bill in the autumn. I 
hope that this paper will encourage and inform the debates about this issue. 




Rt. Hon Jack Straw MP, 
Home Secretary 


CHAPTER 1 


INTRODUCTION 


1.1 The EC Data Protection Directive 
(95/46/EC) was adopted on 24 October 
1995. EU Member States are required to 
have in place by 24 October 1998 national 
provisions giving effect to the Directive. 


1.2 The United Kingdom’s existing data 
protection legislation, the Data Protection 
Act 1984, meets many of the requirements 
of the Directive. However the Directive 
goes beyond the present law in a number 
of respects. In particular it: 


— defines certain key concepts 
differently; 


— extends data protection controls to 
certain manual records; 


— sets detailed conditions for 
processing personal data; 


— sets tighter conditions for 
processing sensitive data; 


— requires certain exemptions for the 
media; 


— strengthens individuals’ rights; 


— strengthens the powers of the 
supervisory authority; 


— sets new rules for the transfer of 
personal data outside the EU; 


— allows the existing registration 
scheme to be simplified. 


1.3 In March 1996 the previous 
Government issued a consultation paper 
(referred to in this paper as “the 
consultation paper”) seeking views on the 
implementation of the Directive in the 
UK. It received about 300 responses from 
organisations and individuals. A brief 
summary of the responses is in the Annex 
to this paper. The responses have 
contributed significantly to the 
development of the present 
Government’s implementation proposals. 


1.4 The Government plans to introduce 
a Bill this Session to implement the 
Directive. It will form part of the set of 
measures giving effect to the 
Government’s undertaking to “bring 
rights home”. Article 1 of the Directive 
requires Member States to: 


“ ... protect the fundamental rights 
and freedoms of natural persons, 
and in particular their right to 
privacy with respect to the 
processing of personal data”. 


1.5 Recital 1 in the preamble sets the 
Directive in the context of the 
fundamental rights enshrined in the 
European Convention for the Protection 
of Human Rights and Fundamental 
Freedoms (ECHR). The Government’s 
legislative programme for the present 
Session will include incorporation of the 
ECHR in UK law. 


1.6 Article 8 of the ECHR establishes 
individuals’ right to respect for their 
private life. The Directive echoes this by 
referring to individuals’ right to privacy. 
The Data Protection Bill will contribute to 
this wider right by setting out detailed 
requirements for protecting the privacy of 
personal information. The Government 
will also take the opportunity to deal with 
the outstanding ECHR judgement in the 
case of Gaskin. 


1.7 The Government also intends to 
bring forward in due course a Freedom of 
Information Bill. The proposals for this 
will be set out in a White Paper to be 
published later this year. The two sets of 
legislation will make complementary 
provision for access to personal 
information held by the public sector. The 
Data Protection Bill will also make any 
necessary provision to ensure that there is 
compatibility with the rights of access to 
personal data provided by existing 
legislation. 


1.8 Responses to the consultation paper 
showed a wide measure of agreement on 
many issues. In particular, there was little 
demand for radical change to the present 
broad structure of the UK’s present data 
protection law. While properly reflecting 
the Directive’s requirements, the 
Government proposes wherever possible 
to maintain the substance but simplify the 
procedural aspects of the present law. 
The remainder of this chapter briefly 
summarises the main elements of this 
approach. 


1.9 First, and most important, data 
protection needs to balance different 
interests. On the one hand modern society 
increasingly depends on the collection, 
storage, processing and exchange of 
information of all kinds, including 
personal information. On the other hand it 
is important to ensure that where 
information about individuals is used their 
interests, including their privacy, are 
properly respected. In bringing forward 
its Bill the Government will seek to ensure 
proper protection for information about 
individuals while avoiding unnecessary 
interference with legitimate processing. 
As far as it possibly can, the Government 
wishes to avoid placing additional 
burdens on business and other users of 
personal data. 


1.10 Second, although the present 
arrangements have many good features 
they could be operationally improved. 
The Government will use the new Bill to 
achieve this. For example many 
consultation respondents, including the 
Data Protection Registrar, made 
reasonable criticisms of the present 
registration arrangements. The 
Government welcomes the action which 
the Registrar is taking to develop a 
simpler, more helpful and more user- 
friendly scheme. It intends to incorporate 
this into the new data protection 
arrangements. 


1.11 Third, the Government believes 
that the costs of data protection should be 
met by those who process data. This 
means that they will need to continue to 
meet the costs of the supervisory 
authority; and the Government will need 
to find an equitable means of apportioning 
the costs. 


1.12 Finally, one of the strongest calls 
among consultation respondents was to 
avoid creating a two-tier data protection 
regime. The Data Protection Act 1984 
applies to a broader range of processing 
than the Directive does. The Directive 
covers only the processing of personal 
data in the course of activities within the 
scope of EC law. The UK’s law must 
clearly continue to apply to all activities 
whether or not within EC law, both to 
protect individuals and to meet this 
country’s obligations under the 1981 
Council of Europe Convention on Data 
Protection. 


1.13 Confining the new law to activities 
covered by the Directive would have 
entailed two statutory UK data protection 
regimes. This would have been difficult to 
understand, burdensome to operate and 
complex to enforce. The Bill will 
therefore establish a single overall data 
protection framework, with appropriate 
provision for activities outside the scope 
of EC law. 


1.14 The following chapters describe 
the Government’s proposals. For 
convenience they follow the same order 
as the consultation paper. 


CHAPTER 2 


DEFINITIONS, SCOPE AND EXTENT 
(ARTICLES 2-4) 


Definitions 


2.1 Although superficially similar to 
those in the 1984 Act, some of the 
Directive's definitions differ in important 
respects. The definitions play a key role in 
determining the application of the new 
law. The Government will take as its 
starting point the wording in the 
Directive, but in some cases the Bill may 
need to be more precise so as to avoid 
ambiguity. 


Article 2(a): Personal data 


2.2 As was proposed in the consultation 
paper, the Government intends to limit 
the scope of the new law to living 
individuals. 


2.3 It also proposes that the new law 
should clarify the circumstances in which 
an individual is “identifiable”. Having 
regard to recital 26, the Government 
interprets “personal data” as excluding 
anonymous information to which 
identifiers are unlikely to be capable of 
being attached. For example, where a 
person holds data which are to him 
anonymous and does not hold 
complementary information which might 
help to identify the people concerned, the 
mere existence of such information 
elsewhere should not make the data 
personal within the meaning of the 
Directive. There must be a reasonable 
likelihood of the two pieces of 
information being capable of being 
brought together. 


2.4 The 1984 Act includes within 
“personal data” expressions of opinion 
about the individual concerned. The 
Government proposes to retain this 
provision. 


2.5 The Act excludes from the definition 
intentions towards individuals. The 
Directive does not allow such an 
exclusion. Applying the Directive in full to 
such information could give rise to 
problems. For example, allowing 
individuals subject access to an 
employer’s career planning information 
could prejudice those plans. The 
Government therefore proposes to bring 
such information within the law but 
provide an appropriate exemption from 
subject access. 


Article 2(b): Processing 

2.6 This definition is much wider than 
that in the 1984 Act. It covers any 
operation involving personal data from 
their collection to their destruction, as 
well as merely holding them. 


2.7 Under the 1984 Act, the processing 
has to be “by reference to the data 
subject”. There is no corresponding 
provision in the Directive. Therefore the 
new law will need to catch any automated 
processing of personal data whether or 
not by reference to the data subject. The 
considerations applying to manual 
processing are slightly different (see 
paragraphs 2.8-2.14). Similarly, the 
Directive does not allow continuation of 
the Act’s exemption for text preparation 
(eg word processing). However, the 
Government intends to exempt such 
processing from the new notification 
requirement, if a free-standing exemption 
should prove necessary (see paragraph 
5G). 


Article 2(c): Filing system 

2.8 This definition determines which 
manual (ie non-automated) records are 
covered by the Directive. The 
consultation paper described the 
difficulties in interpreting this provision 
and the related recital 27. The application 
of data protection controls to manual 
records consisting of a “...structured set of 
personal data which are accessible 
according to specific criteria...” is one of 
the most significant changes required by 
the Directive. 


2.9 Many consultation respondents 
were concerned about the potentially 
very wide scope of this definition. They 
thought that manual filing systems not 
structured by reference to individuals but 
only incidentally containing personal data 
which are thus not readily accessible 
should be excluded. The Government 
agrees. It considers that manual data of 
this kind are clearly outside the Directive’s 
scope. It does not favour extending this 
aspect of the data protection regime 
beyond the Directive’s minimum. There 
would be great difficulty in applying the 
data protection principles and the 
Directive’s mechanisms to material not 
organised for systematic access; and the 
fact that it is not so organised provides 
some safeguard against misuse. 


2.10 In deciding which manual data 
should be covered, the Government 
believes that it is necessary to have regard 
to the thinking underlying the application 
of the Directive to non-automated 
records. It believes this has two main 
strands: that the records in question have 
to be structured by reference to 
individuals; and that the relevant data 
should be easily accessible. 


2.11 The Government has considered 
the way forward in the light of these 
considerations. It has also had regard to 
the provisions likely to be made in other 
EU Member States. It has concluded that 
the right approach is to apply the 
Directive to those non-automated records 
which are structured by reference to 
individuals or criteria relating to 
individuals, and which allow easy access 
to the personal data they contain. 


2.12 This approach would cover card 
indexes, microfiches and similar 
collections from which personal data are 
capable of being readily extracted. It 
would also include files about named 
individuals in which each item has an 
internal structure conforming to some 
common system. An example might be a 
file with the subject’s name or another 
unique personal identifier on the cover, 
and containing one or more pro-formas. 


2.13 This leaves those files about named 
individuals whose contents are not 
structured by reference to information 
about those individuals. An example 
might be a file with the subject’s name on 
the cover and containing a variety of 
papers in date order with no simple, 
systematic means of readily identifying 
specific personal data. Such files would 
not be caught by the definition. Recital 27 
makes this clear. It says “... files or sets of 
files as well as their cover pages which are 
not structured according to specific 
criteria, shall under no circumstances fall 
within the scope of this Directive”. 
However, there may be circumstances in 
which some of the personal data on the 
file are capable of being readily identified 
and retrieved. For example a document 
containing personal data of a particular 
kind could have been flagged on 
successive files in a series. In this case the 
personal data on the flagged documents 
could be caught, although the rest of the 
files might not. 


2.14 The Government recognises that 
these arrangements are complex. 
However, experience from other 
countries which already apply data 
protection laws to manual records 
suggests that there is no easy solution. The 
Government believes that its proposed 
approach properly targets data which 
could be processed systematically, and 
that it is broadly similar to that followed 
by some of our EU partners. 


Article 2(d): Controller 


2.15 This definition corresponds 
broadly to that of “data user” in the 1984 
Act. The Bill will make corresponding 
provision. (See also paragraph 2.17). 


Article 2(e): Processor 


2.16 Superficially this definition 
corresponds to that of “computer bureau” 
in the 1984 Act. However, the very much 
wider definition of “processing” in the 
Directive means that this definition is also 
much wider. For example, it will include a 
person who collects data on behalf of the 
controller. 


Article 2(f): Third party 

2.17 This definition will follow broadly 
that in the Directive. It will exclude 
employees, agents and contractors of 
controllers and processors, who will be 
taken as working “under the direct 
authority of the controller or the 
processor”. There will be no need for 
them to have an express authorisation to 
process data. The authorisation will be 
taken as flowing from their normal 
employment or contract with the 
controller. 


Article 2(g): Recipient 

2.18 The purpose of this definition is to 
identify as “recipients” all people, 
including employees of the controller, 
who will or may have access to the 
personal data in question. The effect is to 
require the controller to identify them or 
categories of them when he has to 
provide information about recipients to 
data subjects under articles 10 or 11 in 
order to guarantee fair processing. This 
information must also be provided in 
connection with notification and publicity 
under articles 18, 19 and 21. 


2.19 In accordance with the second 
limb of article 2(g), an authority which 
asks another organisation for information 
about one or more specific individuals 
will not be a “recipient”. An example 
might be a local authority asking another 
for information about one named 
individual in order to deal with a problem 
facing that person. Since one-off inquiries 
of this kind are unpredictable, it would be 
difficult for those making them to be 
identified as recipients for the purposes of 
the relevant articles of the Directive. The 
context suggests that the reference in this 
provision to an “authority” should be 
taken as meaning a “public authority”. 


Article 2(h): Consent 


2.20 The Bill will follow broadly the 
definition in the Directive. 


Scope 


2.21 As noted in the introduction, the 
Government proposes that the new law 
should apply to processing related to all 
types of activity, whether or not they 
come within the scope of EC law. 
Appropriate provision will be made 
within the Bill for activities outside the 
scope of EC law. As regards national 
security, the Government intends to make 
provision corresponding to that in section 
27 of the 1984 Act. 


2.22 In accordance with the second part 
of article 3(2), the new law will exempt 
processing by natural persons in the 
course of purely personal or household 
activities. 


Geographical extent 


2.23 Subject to further discussion with 
our EU partners, for the purposes of 
determining the geographical extent of 
the new law the Bill will apply the 
interpretation of article 4 set out in the 
consultation paper. UK law will therefore 
apply to processing: 


— by a controller established only in 
the UK; 

— for the purposes of the UK branch 
of a controller established in more 
than one EU country; 

— by a controller established outside 
the UK but in a place where UK 
law applies; 

— by a controller not established in 
the EU but who uses equipment in 
the UK. 


In the last case, the organisation must 
designate a representative in the UK. 


2.24 The second indented part of article 
17.3 slightly modifies these arrangements. 
It requires the law governing the security 
arrangements applying to processors to be 
that of the country in which the processor 
is established. 


CHAPTER 3 


THE MAIN RULES GOVERNING PROCESSING 
(ARTICLES 6, 7, 10-13, 16 AND 17) 


Safeguards 


3.1 Various articles of the Directive 
require the provision of safeguards in 
connection with certain processing or 
exemptions. These include article 6.1(b) 
and 6.1(e), article 8.2(b), 8.4 and 8.5, 
article 11.2 and article 15.2. 


3.2 The Government has identified 
possible safeguards for some of these 
provisions (see paragraphs 3.7 and 3.12). 
Others might include: 


— restrictions on the use to which the 
data may be put, the people to 
whom they may be disclosed, or 
the time for which they may be 
held; 

— a prohibition on identifying the 
data subjects; 

— a requirement to anonymise the 
data as far and as quickly as 
possible; 

— a requirement to separate out 
identification data and store them 
separately; 

— a requirement to give access to the 
data only on “a need to know” 
basis; 

— a requirement to comply with a 
sectoral code of practice. 


Data Protection Principles 


3.3 The Government intends to follow 
the approach in the 1984 Act by retaining 
eight data protection principles 
accompanied by statutory interpretation 
provisions. The corresponding Directive 
provisions are found in articles 6, 12 and 
17. 


3.4 The 1984 Act’s principle 8, dealing 
with security, applies to computer 
bureaux as well as to data users. Article 17 
of the Directive has a similar effect, 
applying the security principle to 
processors and those acting under their 
authority as well as to controllers. 


3.5 Under the 1984 Act action for non- 
compliance with the data protection 
principles may only be taken against 
registered data users. As required by the 
Directive, the new law will require all 
controllers to comply with the principles 
irrespective of any notification 
requirement. 


3.6 The first six principles in schedule 1 
to the 1984 Act should require only minor 
adjustment to reflect the slightly different 
wording in the Directive. However, 
articles 12 (on subject access) and 17 (on 
security) are more detailed than principles 
7 and 8 in the Act and may require wider 
amendment. 


3.7 In addition, articles 6.1(b) and 6.1(e) 
require appropriate safeguards for the 
further processing or retention for 
historical, statistical or scientific purposes 
of personal data collected for other 
purposes. Recital 29 says that such further 
processing must not be used in support of 
measures or decisions about an individual. 
Another possible safeguard might be 
modelled on the one found in the 1984 
Act, to the effect that damage or distress 
must not be caused to any data subject 
(see paragraph 7 of the interpretation 
provisions in schedule 1 to the Act). 


3.8 Some of the interpretation 
provisions in schedule 1 to the Act are 
likely to need substantial revision. In 
particular, changes will be required to 
take account of the fact that compliance 
with the principles will be separated from 
registration. For example, the Bill will 
need to amend principle 2 which provides 
that the requirement for purposes to be 
specified is satisfied only if the purposes 
are registered. 


Criteria for processing 


3.9 To the extent that the sense of the 
provisions of article 7 is clear and 
unambiguous, the Government proposes 
to give effect to article 7 in broadly the 
form in which it appears in the Directive. 
Where there is ambiguity, some 
elaboration may be necessary. 


Informing the data subject 


3.10 As with article 7, the Government 
believes that articles 10 and 11 can best be 
implemented through provisions 
expressed very similarly to those in the 
Directive. This will give data controllers 
reasonable flexibility in how they comply 
with the requirements. 


3.11 For example, the Government 
proposes that it should be left to the 
controller to determine, in the first 
instance, the circumstances in which the 
further information mentioned in articles 
10(c) and 11.1(c) needs to be provided in 
order to guarantee fair processing. 


3.12 Similarly, the Government 
proposes that it should be for controllers 
to decide whether, in a particular case, 
disproportionate effort would be involved 
in providing the information required 
under article 11.1; and whether they can, 
therefore, rely on the derogation in article 
11.2. A possible safeguard might be to 
require the controllers to provide the 
information when they first make contact 
with the data subject. 


Subject access 


3.13 The Bill will maintain the general 
approach to subject access set out in 
section 21 of the 1984 Act. However, 
some adjustments will be necessary in 
order to give effect to the additional 
requirements of article 12 of the 
Directive. 


3.14 The Government intends to put an 
end to the practice of “enforced subject 
access”. On 29 May, it wrote to 
employers’ organisations and others 
concerned seeking views on the best way 
of doing this. It is considering the 
responses and will announce separately 
how it plans to deal with this in the new 
law. 


3.15 The 1984 Act requires the data user 
to provide the data subject with an 
intelligible copy of relevant data in 
response to a subject access request. The 
new law will take advantage of the 
flexibility provided by the Directive 
which allows communication of the 
information “in an intelligible form”. This 
could include electronic communication 
and possibly other means. The choice will 
be for data subjects. They will still be able 
to request a hard copy of the information, 
which will have to be granted except in 
limited cases where this is unreasonable 
or involves disproportionate effort. 


3.16 The third sub-paragraph of article 
12(a) requires the controllers to make 
known to data subjects who request 
subject access the logic involved in 
automatic processing of data about them. 
As permitted by the Directive, the 
Government proposes to limit the 
application of this provision to those fully 
automated decisions set out in article 15. 


3.17 The purpose of this provision is to 
ensure that individuals are able to secure 
sufficient information to be able to satisfy 
themselves that their personal data have 
been properly processed. However, 
recital 41 confirms that it is not intended 
to allow “trade secrets or intellectual 
property” to be adversely affected. The 
Government therefore believes that the 
requirement should normally be capable 
of being satisfied through the provision of 
general information about the logic 
involved, rather than a detailed 
explanation of key processes which might 
put the basis of the operation in jeopardy. 


3.18 The Government does not propose 
to change either the £10 maximum 
subject access fee or the requirement to 
meet the request within 40 days (though 
both will be amendable by Statutory 
Instrument). However, the 40 days will 
only start running when both any 
payment which is required and the 
information enabling identification of the 
material requested etc. have been 
received. The 1984 Act requires only the 
second condition to be met. This change 
should help reduce those subject access 
requests which involve organisations in 
time-consuming and expensive work but 
are not followed up. 


Confidentiality and security 


3.19 Article 16 on confidentiality is dealt 
with in paragraph 6.4; and article 17 on 
security in paragraphs 2.24 and 3.3-3.8 
above. 


Exemptions 
Subject access 


3.20 The 1984 Act provides for a 
number of exemptions from its subject 
access provisions. These relate to: 

* third party identification 
(S.21(4)(b)); 

* the prevention or detection of 
crime; the apprehension or 
prosecution of offenders; or the 
assessment or collection of a tax or 
duty (S.28(1) and (2)); 

* judicial appointments (S.31(1)); 

* legal professional privilege 
(S.31(2)); 

* research or statistical purposes 
(S.33); 

* back-up data (S.34(4)); 

* exposure to criminal proceedings 
(S.34(9)); 

* examination results (deferral) 
(S.35); 

* human embryology (S.35A); 

* various matters relating to health, 
social services, regulation of 
financial services etc (Orders made 
under 1984 Act). 


With the exception of back-up data (for 
which there is no provision in the 
Directive) the Government believes that 
the effect of all these exemptions can and 
should be preserved. 


3.21 The additional requirements of the 
Directive, in particular the inclusion of 
certain manual records, mean that some 
extension of the existing exemptions is 
needed. For example, it will be necessary 
to cover matters such as the investigation 
and enforcement work of regulatory 
authorities where the suspect activity is 
not a criminal offence. 


3.22 In addition the Government 
believes that it may be necessary to 
provide exemptions for: 


* data revealing the intentions of the 
controller in respect of the data 
subject (see paragraph 2.5 above); 

* employment and academic 
references provided in confidence; 

* data concerning honours and 
public appointments; 

* examination scripts. 


3.23 In some cases, the exemptions will 
need to cover the information which 
articles 10 and 11 require to be provided 
as well as subject access. 


Non-disclosure 


3.24 The 1984 Act also provides for 
exemptions from the restrictions on 
disclosure. These relate to: 

* national security (S.27(1)); 

* the prevention or detection of 
crime; the apprehension or 
prosecution of offenders; or the 
assessment or collection of tax or 
duty (S.28(3)); 

* a requirement of law (S.34(5)(a)); 

* obtaining legal advice in the course 
of legal proceedings (S.34(5)(b)); 

* disclosures to the data subject or a 
person acting on his behalf 
(S.34(6)(a)); 

* disclosures at the request or with 
the consent of the data subject 
(S.34(6)(b)); 

* disclosures to a servant or agent of 
the data user (S.34(6)(c)); 

* disclosures urgently required to 
prevent injury (S.34(8)). 

3.25 The Government believes that all 
the exemptions remain necessary and 
intends to preserve their effect, consistent 
with the requirements of the Directive. 


CHAPTER 4 


SPECIAL CASES 
(ARTICLES 8, 9, 14 AND 15) 


Sensitive data 


4.1 As explained in the consultation 
paper, special rules on the processing of 
sensitive data will effectively be new to 
UK data protection law. Subject to the 
following comments, the new law will 
make provision corresponding to article 
8.1-8.3. The law will be cast in a general 
way to permit the greatest flexibility for 
controllers in how they comply with these 
provisions. 


4.2 Article 8.2(b) allows the processing 
of sensitive data “in the field of 
employment law” in certain 
circumstances. The Government believes 
that this expression includes not only 
specific employment legislation such as 
the Employment Rights Act 1996 but also 
other rules of law relating to employment. 
For example, the rights and duties under 
anti-discrimination and health and safety 
legislation constitute a significant part of 
the law on employment. The Government 
intends to give effect to article 8.2(b) 
consistently with this interpretation. 


4.3 The consultation paper identified 
the possibility that under article 8.2(c) a 
person might seek to endanger another 
person’s interests by deliberately 
withholding consent. The Government 
will have regard to this concern in 
preparing the Bill. 


4.4 The first part of article 8.2(e) can be 
read as allowing the processing of 
sensitive data either where they are 
generally obvious (eg a disablement or 
racial origin) or only where the data 
subject has taken a deliberate step to 
make them public. Having regard to the 
general restrictions in and intention of 
article 8, the Government proposes to 
apply the second, more restrictive 
interpretation. 


4.5 The Government interprets the 
second part of article 8.2(e) as allowing 
the processing of sensitive data where 
that is necessary for the purpose of 
obtaining legal advice, asserting legal 
rights and involvement in legal 
proceedings. 


4.6 Article 8.4 allows further 
exemptions from the prohibition on 
processing sensitive data for reasons of 
substantial public interest, subject to the 
provision of suitable safeguards. The 
Government is considering for exemption 
under this provision data held for the 
purposes of: 


* medical research; 


* personal social services; 


* political canvassing; 


* monitoring ethnic origin, 
disabilities or, in Northern Ireland, 
religion; 


* Government statistics, social 
security and certain other functions 
of central and local Government 
still under consideration; 


* the prevention and detection of 
crime etc. 


4.7 The safeguards might be drawn from 
among those mentioned in paragraph 3.2 
above. Alternatively safeguards specific to 
the particular material processed might be 
appropriate. For example, in the case of 
medical research there might be a 
requirement for prior approval of the 
project by a research ethics committee. 


Criminal records 


4.8 Article 8.5 deals with the processing 
of personal data relating to offences, 
criminal convictions and security 
measures. The new law will specify that 
such processing may be carried out under 
the control of official authority. The 
Government also proposes to allow 
processing of such data in other 
circumstances where suitable specific 
safeguards are complied with. 


Personal identifiers 


4.9 The Bill will make provision 
consistent with article 8.7. 


Journalism and artistic or literary 
expression 


4.10 As noted in the consultation paper, 
unlike the Directive the 1984 Act has no 
exemptions for processing for the 
purposes of journalism or artistic and 
literary expression. The consultation 
paper also made clear that a blanket 
exemption was not possible. 


4.11 How far the new data protection 
law should apply to journalistic and 
similar purposes raises very difficult 
points of principle about the rights and 
responsibilities of the media. The key 
issue is how to balance the individual’s 
legitimate expectation of privacy against 
the public’s right to know. This balance is 
far from easy to strike. 


4.12 The Government has had detailed 
discussions with representatives of the 
press and the broadcasters about this very 
difficult issue. Useful progress has been 
made, but this work needs to be 
completed before firm decisions are taken 
about the precise scope of the 
exemptions under article 9. The 
Government will announce its decisions 
on this separately in due course. 


The data subject’s right to object 


4.13 Article 14(a) creates a right to 
object to lawful processing in certain 
circumstances. The new law will allow 
exercise of this right where article 7(e) or 
(f) provides the justification for 
processing. The Government is still 
considering in what circumstances it 
might be necessary to allow the right to be 
overridden. 


4.14 In accordance with the first part of 
article 14(b) the Government intends to 
provide for data subjects to be able to 
object free of charge to their personal data 
being used for direct marketing purposes 
(ie to opt out). However, where sensitive 
data are involved explicit consent (ie 
opting in) may be needed. The 
Government is still considering how best 
to give effect to the requirement for data 
subjects to be made aware of their right to 
object. 


Automated decision-making 


4.15 The Government proposes that the 
new law should make provision broadly 
comparable to that in article 15. In the 
first instance it would be for controllers to 
decide whether or not their automated 
decision-making is covered by the 
provisions giving effect to article 15.1 
and 15.2. 


CHAPTER 5 


NOTIFICATION/REGISTRATION 
(ARTICLES 18-21) 


The new arrangements 


5.1 In accordance with the strongly 
expressed views of respondents to the 
consultation paper, the Government 
intends the new notification arrangements 
to be much more straightforward than 
registration is at present. The Bill will 
provide for the supervisory authority to 
draw up the details of the scheme and 
submit it for approval by the Secretary of 
State. 


5.2 The Government proposes to base 
the scheme on the one the Data 
Protection Registrar is currently 
developing. Following her 1996 
consultation exercise on registration the 
Registrar has further refined her 
proposals. The Government believes that 
these will be simpler, more readily 
understandable and more useful for data 
controllers, individuals and the 
supervisory authority. 


5.3 The key features of the proposed 
scheme are: 


* a range of methods of notifying 
(including on-line access); 


* a greatly simplified format 
(including the use of standard 
packages); 


* minimising the detail the controller 
has to provide. 


5.4 As at present, there will be a fee for 
notification. The revenue it generates will 
continue to offset the costs of the 
supervisory authority. The Government 
therefore believes that it would be 
equitable to require fairly wide 
notification. 


5.5 However, within this broad 
approach the Government believes that it 
is desirable to exempt certain processing 
operations from notification. In her 1996 
Consultation Paper on the Revision of 
Registration Methods, the Data Protection 
Registrar identified a number of “standard 
core purposes”. The Government 
understands that the Registrar has done 
further work on the categories. They now 
comprise: 


* payroll, personnel and work 
planning administration; 


* purchase and sales administration; 


* advertising, marketing and public 
relations; 


* general administration. 


The Government intends to exempt from 
compulsory notification processing 
operations carried out for these purposes. 


5.6 The Government also proposes 
certain further exemptions. Some deal 
with existing exemptions which are not 
covered by the “standard core purposes”. 
Others reflect regime changes made by 
the Directive. These further exemptions 
include: 


* processing for the purpose of 
holding registers and other data 
required by law to be made public; 


* processing in connection with 
mailing and membership lists (as in 
section 33 of the 1984 Act); 


* processing by certain non-profit- 
making organisations in 
accordance with article 8.2(d); 


* processing of bibliographic data; 


* word processing (if not covered by 
other exemptions). 


5.7 The Government proposes not to 
apply the requirement to notify to manual 
records. In addition, it will end the 
existing requirement for head teachers 
and Governors of schools to register 
separately. 


5.8 The Government is currently 
estimating the likely costs of the 
supervisory authority under the new law, 
and will determine the fee level in that 
context. It will keep average fees as low as 
possible. It is also considering revising the 
fee structure to take some account of 
organisations’ size or range of processing. 
The options include a tiered structure or 
paying a fee for each notified purpose. 


5.9 The Government proposes to end 
the requirement for a fresh registration 
every 3 years. Fees will be paid annually, 
with direct debit and similar arrangements 
available. Organisations will need to take 
no further action beyond informing the 
supervisory authority as and when there is 
a change in the notified information. 


5.10 Since notification is one way of 
discharging the requirement for publicity 
in article 21 of the Directive, organisations 
exempt from the notification requirement 
will be able to notify voluntarily. This 
option will also be available for manual 
records. 


“In-house” data protection officials 


5.11 The responses to the consultation 
paper indicated some interest in the 
concept of “in-house” data protection 
officials, provided for by article 18.2 of the 
Directive. However, very few 
organisations said that they would take 
advantage of such arrangements were 
they available. Bearing in mind the 
amount of work needed to prepare for the 
main régime, the Government proposes 
that the new law should enable an “in- 
house” officials scheme to be established 
subsequently by subordinate legislation. 
In the light of the operation of the new 
law, it will consider whether the 
alternative arrangements should be 
introduced in due course. 


Information to be notified 


5.12 The new law will require 
notifications to cover the information 
specified in article 19. 


Prior checking 


5.13 The Government is considering 
which categories of processing operation 
should be subject to the prior checking 
system required by article 20. It wishes to 
limit them to the minimum consistent 
with the need to provide adequate 
protection for individuals in the light of 
the tight criteria set out in the Directive. 
No decisions have yet been taken, but the 
Government is currently considering 
whether there is a case for prior checking 
some processing operations involving 
data matching, genetic data and private 
investigation activities. The proposed 
prior checking mechanism is described in 
paragraph 6.10. 


Transparency 


5.14 Provision will be made in 
accordance with article 21.2 for notified 
information to be held in a register 
maintained by the supervisory authority. 
The register will be open for public 
inspection. The Data Protection Registrar 
is developing proposals to make the 
register more accessible to individuals, 
including through on-line access, and to 
make the information provided more 
readily comprehensible and useful. There 
will be a duty on the supervisory authority 
not to disclose information relating to 
security measures (ie that referred to in 
article 19.1(f)) when the register is 
interrogated. 


5.15 As noted in paragraph 5.10, 
notification is one means of meeting the 
requirement for transparency in article 21. 
The new law will make provision similar 
to that in article 21.3 for controllers of 
processing operations who do not need or 
choose not to notify to publicise by other 
means the information set out in article 
19.1(a) - (e). This transparency 
requirement applies to controllers 
processing manual records as well as to 
those processing automated personal 
data. 


5.16 Registers of the kind described in 
the second paragraph of article 21.3 will 
be exempt from the publicity 
requirement. 


CHAPTER 6 


ENFORCEMENT 
(ARTICLES 22-24, 
27 AND 28) 


6.1 The majority of respondents to the 
consultation paper favoured retaining 
broadly the existing enforcement 
arrangements, with which they were 
familiar and which they believed worked 
well. The Government agrees that the 
existing arrangements should form the 
basis for the arrangements under the new 
law. However the Directive requires 
certain changes, and the Government also 
intends to take the opportunity to 
streamline the present arrangements. 


Breaches relating to notification/ 
registration 


6.2 Broadly as at present, for 
organisations which are required to notify 
the supervisory authority of processing 
operations, it will be an offence to fail to 
do so and to fail to provide accurate 
information. Failure to inform the 
supervisory authority of changes of 
address will also remain an offence. 


6.3 Failure to inform the supervisory 
authority of other changes to notified 
information (ie failure to keep the 
notification up to date) will be subject to 
an enforcement notice. 


6.4 The present law makes it an offence 
knowingly or recklessly to process data in 
breach of the register entry. The new law 
will deal with this behaviour in a different 
way. Where the controller or a person 
acting in accordance with the controller's 
instructions processes data inconsistently 
with the notified information, the 
enforcement notice procedure will apply. 
To meet the requirement of article 16 of 
the Directive it will be an offence for the 
processor or an employee of the 
controller or the processor to process data 
knowingly or recklessly otherwise than in 
accordance with the instructions of the 
controller, unless there is a requirement in 
law to do so. 


6.5 The Government intends to preserve 
the present offences of unlawfully 
procuring and selling personal data. It will 
be necessary to reformulate them to take 
account of the changes to the registration 
arrangements. 


Other breaches 


6.6 As now, where the supervisory 
authority considers that the data 
protection principles are being breached 
it will be able to issue an enforcement 
notice requiring change to the controller’s 
practice. The Government proposes that 
this procedure should embrace other 
breaches of the new law. These will 
include transfers made improperly to a 
third country with inadequate levels of 
protection (see paragraph 7.2); and failure 
to meet the transparency requirement 
(see paragraph 5.15). 


6.7 The Government proposes a new 
power for the supervisory authority to 
require controllers to provide information 
in certain limited circumstances. These 
are where the supervisory authority has 
reason to suspect that the new law is 
being breached; or where it needs the 
information to investigate properly a 
complaint made by a data subject in 
accordance with article 28.4 of the 
Directive. Where the information is 
refused, the supervisory authority will be 
able to issue an enforcement notice 
requiring its provision. The existing 
power for the supervisory authority to 
seek a warrant will be retained to support 
this. 


Enforcement notices: procedures and 
appeals 


6.8 The Government proposes that the 
procedure for issuing an enforcement 
notice should ensure that the supervisory 
authority explains: 


* the suggested remedial action; 


* any necessary immediate 
enforcement or remedial action; 


* the right to make representations 
before any action is taken; 


* the right of appeal. 


6.9 As now, failure to comply with an 
enforcement notice will be an offence; 
and appeals against enforcement notices 
will be to the Data Protection Tribunal. 
Processing will be able to continue until 
the outcome of the Tribunal hearing is 
known. To the extent that they are 
consistent with the nature of this 
Tribunal, the procedures in the 
Deregulation (Model Appeal Provisions) 
Order 1996 will be applied. 


Prior checking 


6.10 Under the present law processing 
may lawfully begin once the application 
for registration has been made. The new 
law will preserve this provision for the 
great majority of processing. However, 
those operations subject to prior checking 
(see paragraph 5.13) will not be allowed 
to start until they have been checked by 
the supervisory authority. The supervisory 
authority will be required to carry out that 
check and give its opinion to the 
controller within, say, 15 working days of 
receiving the application. The opinion 
may take the form of a notification to the 
controller that the supervisory authority is 
minded to issue an enforcement notice; or 
a statement to the effect that it does not 
intend to take any further action in the 
context of the prior checking exercise. In 
either case, the processing may go ahead. 
If the controller decides to go ahead, he 
will of course be at risk of subsequent 
challenge from the supervisory authority 
for any breach of the Act. 


Individuals’ remedies 


6.11 The Directive establishes a number 
of rights for individuals. The new law will 
enable individuals who believe any of 
these rights to have been breached to seek 
a remedy in the courts. The remedy 
available will match the nature of the right 
breached. For example, where the right of 
subject access has been improperly 
refused the court will be able as now to 
make an order requiring the controller to 
give access. 


6.12 As now, individuals will be able to 
complain to the supervisory authority 
about any alleged breach of the new law. 
The supervisory authority will be under a 
duty to consider complaints of substance. 


6.13 Individuals will also be able to seek 
compensation directly in the courts for 
damage, and associated distress, arising 
from any breach of the new law. Defences 
comparable to those in the present law 
will be provided. 


The supervisory authority 


6.14 The Government intends to 
designate the Data Protection Registrar as 
the data protection supervisory authority. 
The Directive requires this to be a public 
authority. The office of the Data 
Protection Registrar has overseen the 
operation of the present data protection 
regime since its introduction. It has 
acquired valuable and unique experience 
in this work. The Government believes 
that the Registrar is best placed to take 
forward effectively and efficiently the 
work needed to oversee the 
implementation of the new regime. 
However, with the reduced emphasis on 
registration, the Government believes that 
the title of Data Protection Registrar is no 
longer suitable. The Government 
proposes to change it to “Data Protection 
Commissioner”. 


6.15 The Government intends to make 
clear in the Bill that the Commissioner has 
a general duty to promote good data 
protection practice. In connection with 
this duty, the Commissioner will be 
enabled to carry out quality assessments 
of controllers’ data protection systems 
(but without the power to compel 
controllers’ involvement); and to propose 
voluntary codes of practice. Consistent 
with the Directive, the Commissioner will 
also be put under a duty to consider draft 
codes submitted to him, and, if he sees fit, 
seek data subjects’ views on them. 


CHAPTER 7 


TRANSFERS OF 
PERSONAL DATA TO 
THIRD COUNTRIES 
(ARTICLES 25 AND 26) 


7.1 The Government proposes that the 
new law should broadly correspond to 
articles 25 and 26 of the Directive with 
little elaboration. 


7.2 The controller will need to decide in 
the first instance on the adequacy of 
protection in third countries to which he 
proposes to export data. Where the 
supervisory authority considers the 
protection to be inadequate it will be able 
to issue an enforcement notice requiring 
the transfers to cease. 


7.3 The new law will require the 
supervisory authority to notify the 
European Commission and other EU 
Member States of cases where levels of 
protection in third countries are believed 
to be inadequate. 


7.4 The Government will consider 
further with the Data Protection Registrar 
whether the supervisory authority should 
have to maintain a central “data bank” of 
available information about levels of 
protection in third countries; and draw up 
lists of adequate safeguards and standard 
contractual clauses in accordance with 
article 26.2. A controller would be able to 
transfer to a third country which provides 
inadequate general protection where the 
particular data were handled in 
accordance with the safeguards drawn up 
by the supervisory authority. The 
supervisory authority would have to 
notify the arrangements it makes to the 
Commission. 


CHAPTER 8 


TRANSITIONAL ARRANGEMENTS 
(ARTICLE 32) 


8.1 The Government is considering how 
to manage the transition from the old law 
to the new. The arrangements can be 
decided only when the detail of the new 
regime is established. 


8.2 Consistent with the need to protect 
individuals’ rights and with the 
practicalities of running overlapping 
regimes, the Government will use to the 
full extent the three years within which 
existing processing must be brought into 
full compliance with the Directive’s 
requirements. It will take a similar 
approach to the extended transitional 
period for existing manual records (which 
applies only to articles 6, 7 and 8 of the 
Directive). 


8.3 In the spirit of the Council/ 
Commission Minutes Statement referred 
to in the consultation paper, the 
Government proposes that the new law 
should also contain a reserve power to 
deal with any problems which may arise at 
the end of the extended transitional 
period for existing manual records. 


ANNEX 


RESPONSES TO THE HOME OFFICE 
CONSULTATION PAPER 
ON THE EC DATA PROTECTION 
DIRECTIVE (95/46/EC) 


1. INTRODUCTION 


* There were approximately 300 
responses to the Consultation 
Paper. 


* Respondents ranged from large 
multinational corporations to 
individuals with an interest in data 
protection. 


* Respondents included both public 
and private sector bodies. 


2. LEGISLATIVE ROUTE 


* There was strong support for 
primary legislation. The reasons 
centred on the need to avoid the 
confusion that a dual regime may 
cause. 


3. CONTENT OF LEGISLATION 


* The majority requested clear and 
precise definitions to provide for as 
much certainty as possible. 


* They wanted the new legislation to 
resemble the existing Data 
Protection Act (DPA) as far as 
possible. 


* A significant minority suggested 
that a ‘copyout’ approach should 
be adopted, accompanied by 
explanatory guidance. 


4. SCOPE OF THE DIRECTIVE 


* Many thought protection should be 
extended to information relating to 
dead people, at least for a period of 
time. 


* There was considerable concern 
over the definition of personal data 
which is broader than that in the 
DPA. Many wanted the approach in 
the DPA to be retained. 


* The Directive applies only to 
activities within the scope of 
European Community law. 
Respondents were uncertain what 
this covered. 


5. MANUAL DATA 


* Most wanted a precise definition of 
manual data that made clear which 
records would be covered. 


* Many thought the definition should 
be limited to files accessed by 
reference to the individual, either 
by name or personal identifier. 


* Most wanted the Government to 
take advantage of the option to 
delay full application of the 
Directive to manual records for 12 
years from adoption of the 
Directive, but were concerned it 
would not be long enough. 


6. INFORMATION TO DATA 
SUBJECTS 


* Many were concerned about the 
requirement under the Directive 
for controllers to provide certain 
information to data subjects where 
the data were not obtained directly 
from the data subject but from a 
third party. There is no equivalent 
requirement in the DPA. This was 
thought likely to be burdensome, 
especially by those organisations 
which purchase mailing lists or 
copies of the electoral roll. 


7. SUBJECT ACCESS 


* Many respondents wanted the data 
they hold to be exempt from 
subject access. 


* A common concern was the wish 
to protect information relating to 
third parties, especially sources of 
data, complainants or informers. 


* A large majority thought that the 
existing 40 day time period for 
responding to subject access 
requests should remain the same. 


* Opinion on whether the £10 fee 
should be increased or not was 
divided. 


8. EXEMPTIONS 


* There were many requests for 
exemptions under the Directive. 


* A significant number of 
respondents referred to specific 
exemptions contained in the DPA 
and asked for identical exemptions 
to be introduced under the 
Directive. 


9. SENSITIVE DATA 


* Many respondents were concerned 
about the effect upon them of the 
special restrictions on the 
processing of sensitive data. 


10. THE MEDIA 


* Respondents from the media 
wanted the exemption for the 
media to be as wide as possible to 
ensure that their activities 
(particularly investigative 
journalism) would not be 
hampered by the provisions of the 
Directive. 


* Amongst other respondents there 
was concern that the media should 
not be given carte blanche. 


11. NOTIFICATION 


* There was overwhelming support 
for simplification of the existing 
arrangements. 


* Many thought manual records 
should not be subject to 
notification. 


* Many respondents showed interest 
in the concept of an in-house data 
protection official but there was 
little commitment to use one. 


12. ENFORCEMENT 


* There was considerable support for 
the existing enforcement 
mechanism. 


* There were some suggestions that 
the Registrar should have greater 
powers of investigation. 


13. OVERSEAS TRANSFERS 


* The main concern was a desire for 
certainty as to which countries 
have adequate data protection 
measures to allow for transfer of 
personal data to those countries. 


* There was considerable concern 
that the Directive could hinder the 
competitiveness of UK companies 
unless a list of third countries with 
an adequate level of data protection 
was agreed centrally between 
member states. 


* Many said that it would be almost 
impossible to apply the provisions 
of the Directive to the Internet. 


Printed in the UK for The Stationery Office Limited on behalf of the 
Controller of Her Majesty’s Stationery Office 




Published by The Stationery Office Limited 
and available from: 


The Publications Centre 

(Mail, telephone and fax orders only) 
PO Box 276, London SW8 5DT 
General enquiries 0171 873 0011 
Telephone orders 0171 873 9090 

Fax orders 0171 873 8200 


The Stationery Office Bookshops 

49 High Holborn, London WC1V 6HB 
(counter service and fax orders only) 
Fax 0171 831 1326 

68-69 Bull Street, Birmingham B4 6AD 
0121 236 9696 Fax 0121 236 9699 

33 Wine Street, Bristol BS1 2BO 

0117 926 4306 Fax 0117 929 4515 

9-21 Princess Street, Manchester M60 8AS 
0161 834 7201 Fax 0161 833 0634 

16 Arthur Street, Belfast BT1 4GD 
01232 238451 Fax 01232 235401 

The Stationery Office Oriel Bookshop, 
The Friary, Cardiff CF1 4AA 

01222 395548 Fax 01222 384347 

71 Lothian Road, Edinburgh EH3 9AZ 
(counter service only) 


In addition customers in Scotland may mail, 
telephone or fax their orders to: 
Scottish Publication Sales, 
South Gyle Crescent, Edinburgh EH12 9EB 
0131 479 3141 Fax 0131 479 3142 


Accredited Agents 
(see Yellow Pages) 


and through good booksellers 


ISBN 0-10-137252-3 
